    Multi lan (VLAN) and multi wan

    Category: Routing and Multi WAN
    3 Posts 2 Posters 2.2k Views
    • robik

      Hello,
      I'm very frustrated with configuring our building with pfSense. Now we have new requirements and I can't configure it.
      I have:

      • 1 LAN NIC with configured VLANs (3 VLANs via OPT ifaces, assigned on the NIC)
      • 3 WAN NICs - 2 ISPs

      We have a lot of clients.
      LAN_INTERNAL - internal clients - VLAN 10 - using LAN (servers, printers etc.) and WAN 1 for internet access.
      LAN_VYT - internal clients - VLAN 15 - one department of internal clients - using LAN (servers, printers - the same as the VLAN 10 clients), and WAN 2
      LAN_PUBLIC - public - VLAN 20 - public WiFi for public clients to WAN 3

      LAN_PUBLIC is good, it uses its own IP and its own DHCP - I can set the gateway to WAN 3. No problem.

      However, because I need to connect VLAN 10 and VLAN 15 (they both use the same printers and servers, and need to see each other), I configured a bridge - the members are the ifaces with VLAN 10 and VLAN 15 assigned - and assigned it to a new LAN_BRIDGE iface. This iface has its own address (10.8.1.1/14) and its own DHCP (10.8.4.1 - 250). All is working well - clients on both VLANs are in the same subnet, they see each other, the servers, printers etc. But I cannot set up WAN 1 for the VLAN 10 clients (LAN_INTERNAL) and WAN 2 for the VLAN 15 clients (LAN_VYT), because all requests to the internet are sent from LAN_BRIDGE and I can't distinguish by anything who is from VLAN 10 and who is from VLAN 15. I can set firewall rules on LAN_INTERNAL and LAN_VYT, but only for inter-LAN connections (those are requested from LAN_INTERNAL and LAN_VYT), not for the internet - those connections are requested from LAN_BRIDGE.

      So - how can I set a different gateway for users on the LAN_VYT bridged interface?
      Sorry for my bad English and my confused description. I hope it's understandable.
      Thank you toooooooo much.
      Rob

      • Derelict (Netgate)

        You can put filter rules on the member interfaces.  You can just pass the traffic and set a mark, say INTERNAL and VYT, as appropriate. (Setting and matching marks is in the Advanced section, Advanced button of the rule settings)

        Then, on your pass rules on the bridge interface, just make two.  One that matches the mark INTERNAL and sets the gateway and one that matches the mark VYT and sets the other gateway.  Or maybe one that matches a mark then below it another one for all other traffic regardless of mark so you don't bang your head against the wall later forgetting about all the marks.

        Pretty sure you need net.link.bridge.pfil_member and net.link.bridge.pfil_bridge both set to 1 for this to work.

        Never tried this.  Seems like it should work.

        There are probably a bunch of different ways to do it.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • robik
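        The mark-and-match scheme described in the reply above, written out as plain pf rules as an added illustration (not from the thread or from pfSense itself; pfSense generates equivalent rules from the GUI, where marks are set and matched under the rule's Advanced section). Interface names and ISP next-hop addresses are placeholders.

```pf
# Added illustration, not code from the thread. Interface names and gateway
# addresses are assumed; the marks INTERNAL and VYT come from Derelict's reply.

# Both sysctls must be 1 so pf filters on the member VLAN interfaces as well
# as on the bridge itself (Derelict's note; robik confirms both are set):
#   net.link.bridge.pfil_member=1
#   net.link.bridge.pfil_bridge=1

# Assumed interface names and next hops (placeholders).
lan_internal = "igb1.10"    # VLAN 10, LAN_INTERNAL
lan_vyt      = "igb1.15"    # VLAN 15, LAN_VYT
bridge_if    = "bridge0"    # LAN_BRIDGE, 10.8.1.1/14
wan1_if = "igb2"
wan1_gw = "198.51.100.1"    # ISP 1 next hop (placeholder)
wan2_if = "igb3"
wan2_gw = "203.0.113.1"     # ISP 2 next hop (placeholder)

# Step 1: on each member interface, pass the traffic and set a mark.
pass in quick on $lan_internal inet from 10.8.0.0/14 to any tag INTERNAL
pass in quick on $lan_vyt      inet from 10.8.0.0/14 to any tag VYT

# Step 2: on the bridge interface, match the mark and choose the gateway.
# Traffic staying inside 10.8.0.0/14 is passed first, without route-to,
# so inter-VLAN traffic is never pushed out a WAN.
pass in quick on $bridge_if inet from 10.8.0.0/14 to 10.8.0.0/14
pass in quick on $bridge_if inet tagged INTERNAL route-to ($wan1_if $wan1_gw)
pass in quick on $bridge_if inet tagged VYT      route-to ($wan2_if $wan2_gw)

# Step 3: Derelict's catch-all for traffic carrying neither mark, so nothing
# is silently dropped if a mark is forgotten later (uses the default route).
pass in quick on $bridge_if inet from 10.8.0.0/14 to any
```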

          Thanks a lot for the reply.
          Wow, nice feature, I never heard about this in pfSense, thanks for the info.
          But it is unusable in this case - I don't know why, but all packets from a member interface to the internet bypass the member interface firewall rules. For example, if I set a deny rule for ICMP to 8.8.8.8 on the member interface, ping still works, and in the firewall log the source iface is LAN_BRIDGE.
          I am logging all rules now on the member ifaces and LAN_BRIDGE, and it seems like all internal traffic between the LANs has source iface LAN_VYT or LAN_INTERNAL, but if it's traffic to the internet, the source iface in the log is LAN_BRIDGE.
          Example 2 - if I delete the any-any-any pass rule from the member iface, I cannot access LAN_VYT from LAN_INTERNAL and vice versa. But I can still access the internet..
          :(

          Thanks
          Rob

          EDIT: And yes, I have net.link.bridge.pfil_member and net.link.bridge.pfil_bridge both set to 1
